Activity log for bug #1714413

Date Who What changed Old value New value Message
2017-09-01 04:38:12 Felipe Monteiro bug added bug
2017-09-01 04:38:38 Felipe Monteiro patrole: importance Undecided High
2017-09-01 04:40:03 Felipe Monteiro description Currently, Patrole switches the role for the primary Tempest creds in order to do RBAC testing validation. This is a harmless act when using dynamic credentials, as they are deleted after test execution anyway. However, when using pre-provisioned credentials, this means that the roles for the set of credentials included in the accounts.yaml file is permanently changed -- even after test execution. The credentials in the accounts.yaml acquire the test role defined by `[patrole] rbac_test_role` but lose the original roles before running any Patrole tests. This means that it is entirely possible that the roles enumerated in the accounts.yaml may be wrong after test execution. Thus, Patrole testing can cause the pre-provisioned credentials to behave unexpectedly when running, for example, regular Tempest tests using the same credentials. Because this behavior is undesirable, Patrole should restore any credentials changed during test execution after test execution using the `atexit` module which calls the `_restore_credentials` callback on interpreter termination. Note that this is not a bulletproof solution because, as the `atexit` docs mention [0]: The functions registered via this module are not called when the program is killed by a signal not handled by Python, when a Python fatal internal error is detected, or when os._exit() is called. Under normal circumstances, however, this commit ensures that the credentials that are modified during test execution are restored to their original values if pre-provisioned credentials are set up in tempest.conf. Note that this behavior can best be confirmed when using one set of primary/admin creds in the accounts.yaml file and running the tests serially so that the creds that are modified belong to the only Member-role creds defined in the accounts.yaml file. [0] https://docs.python.org/2/library/atexit.html Currently, Patrole switches the role for the primary Tempest creds in order to do RBAC testing validation. This is a harmless act when using dynamic credentials, as they are deleted after test execution anyway. However, when using pre-provisioned credentials, this means that the roles for the set of credentials included in the accounts.yaml file is permanently changed -- even after test execution. The credentials in the accounts.yaml acquire the test role defined by `[patrole] rbac_test_role` but lose their original roles after running any Patrole tests. This means that it is entirely possible that the roles enumerated in the accounts.yaml may be wrong after test execution. Thus, Patrole testing can cause the pre-provisioned credentials to behave unexpectedly when running, for example, regular Tempest tests using the same credentials. Because this behavior is undesirable, Patrole should restore any credentials changed during test execution after test execution using the `atexit` module which calls the `_restore_credentials` callback on interpreter termination. Note that this is not a bulletproof solution because, as the `atexit` docs mention [0]:   The functions registered via this module are not called when the   program is killed by a signal not handled by Python, when a Python   fatal internal error is detected, or when os._exit() is called. Under normal circumstances, however, this commit ensures that the credentials that are modified during test execution are restored to their original values if pre-provisioned credentials are set up in tempest.conf. Note that this behavior can best be confirmed when using one set of primary/admin creds in the accounts.yaml file and running the tests serially so that the creds that are modified belong to the only Member-role creds defined in the accounts.yaml file. [0] https://docs.python.org/2/library/atexit.html
2017-10-12 08:58:49 Ghanshyam Mann bug added subscriber Ghanshyam Mann